Closed Bug 1234842 Opened 9 years ago Closed 3 years ago

Firefox crashes while playing sound in JavaScript-Recursion (Data URI .wav)

Categories

(Core :: Audio/Video: Playback, defect, P3)

Product:
Core
Component:
Audio/Video: Playback
Version:
42 Branch
Type:
defect

Tracking

()

Status:
RESOLVED INACTIVE

People

(Reporter: dennis.knobloch, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:dos])

Crash Data

Attachments

(3 files)

FirefoxCrash.html (proof of concept)
4.19 KB, text/html
Details
bug1234842_jprof.html
2.57 MB, text/html
Details
Crash stack on Linux
3.41 KB, text/plain
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0 Build ID: 20151029151421 Steps to reproduce: Open a HTML file. Click on Button "Crash Firefox". Actual results: Firefox crashes. Crash-Report opens up. Expected results: Firefox should stop the JavaScript.
This reproduces on Nightly still, and crashes the content process in e10s: https://crash-stats.mozilla.com/report/index/2fb1e30e-d9f8-4862-8a5c-aded72151229 So this is essentially: function beep() { var sound = "whatever"; sound.play(); beep(); } We should be showing a slow script dialog but we're not. I don't know why. I also don't know if this needs to stay sec-sensitive.
Blocks: eviltraps
Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, crashreportid, testcase
Product: Firefox → Core
>I also don't know if this needs to stay sec-sensitive. Just a precaution. My RAM fills up and I didn't checked if this could lead a serious problem.
CC list accessible: false
Not accessible to reporter
CC list accessible: true
Accessible to reporter
Group: core-security
Crash Signature: [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ]
Keywords: csectype-oom
Whiteboard: [sg:dos]
If this is an incorrect triage, please correct as you see fit. Thanks.
Component: Untriaged → Audio/Video
Doesn't crash but stops responding. Louis - do your changes fix this issue?
(In reply to Anthony Jones (:kentuckyfriedtakahe, :k17e) from comment #4) > Doesn't crash but stops responding. > > Louis - do your changes fix this issue? Nope, it doesn't hit any of my code, or even DecoderTraits or MediaFormatReader as far as I can see. The crash report posted above looks like it supports this too.
Priority: -- → P1
Ok, interesting. We should investigate and see whose code is spinning so hard.
Crash Signature: [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] → [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NS_strndup ]
Component: Audio/Video → Audio/Video: Playback
Attached file bug1234842_jprof.html
jprof profile of letting this run for ~15 seconds. Lots of: [Main Thread]: D/nsMediaElement 7fcb23d04800 SuspendOrResumeElement(pause=0, suspendEvents=0) hidden=0 [Main Thread]: D/nsMediaElement 7fcb23d04800 Network state changed to NO_SOURCE [Main Thread]: D/nsMediaElement 7fcb23d05000 SuspendOrResumeElement(pause=0, suspendEvents=0) hidden=0 [Main Thread]: D/nsMediaElement 7fcb23d05000 Network state changed to NO_SOURCE and [Main Thread]: D/nsMediaElement 7f76a4871800 ChangeDelayLoadStatus(1) doc=0x0 [Main Thread]: D/nsMediaElement 7f76a4871800 Network state changed to LOADING [Main Thread]: D/nsMediaElement 7f76a4871800 Trying load from src=data:audio/wav;base64,//uQRAAAAWMSLwUIYAAsYkXgoQwAEaYLWfkWgAI0wWs/ItAAAGDgYtAgAyN+QWaAAihwMWm4G8QQRDiMcCBcH3Cc+CDv/7xA4Tvh9Rz/y8QADBwMWgQAZG/ILNAARQ4GLTcDeIIIhxGOBAuD7hOfBB3/94gcJ3w+o5/5eIAIAAAVwWgQAVQ2ORaIQwEMAJiDg95G4nQL..... and [Main Thread]: D/nsMediaElement 7f76bc675000 SuspendOrResumeElement(pause=0, suspendEvents=0) hidden=0 [Main Thread]: D/nsMediaElement 7f76bc678000 Created decoder 7f76a3916120 for type audio/mpeg [Parent 31256] WARNING: Unimplemented function NotifyDataArrived: file /home/jesup/src/mozilla/inbound_prof/dom/media/MP3Demuxer.cpp, line 89
Note: most of the time is spent here; may be a big clue: 2671 (43.4%) mozilla::dom::power::PowerManagerService::NewWakeLock(...)
Eugen - is this an MP3 related issue?
Flags: needinfo?(esawin)
Attached file Crash stack on Linux
It doesn't seem to hit any media code at all for me, it spins somewhere and eventually crashes in HTMLMediaElement::PlayInternal (when setting mPaused = false). I've attached the reproducing crash stack I get on Linux.
Flags: needinfo?(esawin)
I'm going to downgrade this to P3.
Priority: P1 → P3
Crashes Firefox 50.0.1: ID 10534eb1-662e-4bb9-b5f0-1bae52161130 see https://crash-stats.mozilla.com/search/?user_comments=~1234842
(In reply to :Gijs from comment #1) > This reproduces on Nightly still, and crashes the content process in e10s: > > https://crash-stats.mozilla.com/report/index/2fb1e30e-d9f8-4862-8a5c- > aded72151229 > > So this is essentially: > > function beep() { > var sound = "whatever"; > sound.play(); > beep(); > } > > We should be showing a slow script dialog but we're not. I don't know why. I > also don't know if this needs to stay sec-sensitive. I run FF nightly 59 and I could see the slow script appears. (testing on Mac and Ubuntu machine). Clicking on "Stop" button could stop the script. No crash for me. Dennis, could you confirm that? Thanks
Flags: needinfo?(dennis.knobloch)
Kevin, we are triaging evil trap bugs for Desktop at the moment. In this particular case the 'slow script' appears and you can just click stop which allows you to navigate to other tabs. In other words, it's not a DOS on Desktop. We were wondering if this bug might still be an issue for mobile. What do you think? Can we close as WORKSFORME or should we worry about mobile and keep this bug open and just mark it somehow 'evil trap on mobile' or something.
Flags: needinfo?(kbrosnan)
This is a crash/DOS on a Pixel 2 XL Android 8.1 * Firefox for Android Nightly - crash, no slow script dialog * Firefox for Android Beta - Slow script dialog, but it shows up too late for the browser to be recoverable, browser crashes * Firefox for Android Release - Slow script dialog, no crash, browser is not usable
Flags: needinfo?(kbrosnan)
Crash Signature: [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NS_strndup ] → [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NS_strndup ] [@ OOM | small ]
Flags: needinfo?(dennis.knobloch)
Crash Signature: [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NS_strndup ] [@ OOM | small ] → [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NS_strndup ] [@ OOM | small ] [IPCError-browser | ShutDownKill]
Crash Signature: [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NS_strndup ] [@ OOM | small ] [IPCError-browser | ShutDownKill] → [@ OOM | unknown | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NodePool::Builder::Add ] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | NS_strndup ] [@ OOM | small ] [@ IPCError-browser | ShutDownKill ]

Aside from general memory use reduction work there's not much we can do here. No specific activity expected on this bug.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: